[Emerging-Sigs] Proposed Base64 Encoded MZ

Nathan nathan at packetmail.net
Wed Feb 26 05:13:25 HST 2020


I was farting around with https://urlhaus.abuse.ch/url/319004/ and I noticed
that in the ET ruleset there was limited coverage for an MZ being shuffled
across HTTP/HTTPS in a base64-encoded format.  Since base64-encoded MZs on
Pastebin are rather common, I was a bit surprised.  There is a similar ETPRO
rule; however, it fixates on MZ stuffing in certificates.

May I respectfully propose the below, which is a superset of "ETPRO TROJAN EXE
Disguised as Certificate" sid:2827736:

# Matches the base64 of the standard DOS (MZ) header 4D 5A 90 00 03 00 00 00
# 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 ... as it appears when
# the executable starts on a 3-byte boundary of the base64 stream; the negated
# contents drop HTML bodies that merely embed such a blob.
alert http $EXTERNAL_NET any -> $HOME_NET any ( \
  msg:"ET TROJAN EXE Base64 Encoded potential malware"; \
  flow:established,from_server; \
  file_data; \
  content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; \
  fast_pattern; \
  content:!"<html"; nocase; \
  content:!"<body"; nocase; \
  content:!"<script"; nocase; \
  reference:url,urlhaus.abuse.ch/url/319004/; \
  classtype:trojan-activity; \
  sid:X; \
  rev:1; \
  metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, \
    attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, \
    created_at 2020_02_26, performance_impact Moderate; \
)
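As an added illustration (this is not part of Nathan's post or of the ET ruleset), the Python below decodes the rule's content string to confirm it is the canonical MZ header, derives the three base64 alignments of that header, and runs the rule's match logic over constructed sample bodies. It shows the caveat a practitioner would want: the content as proposed only fires when the PE begins on a 3-byte boundary of the base64 stream, so the other two alignments need their own content strings. `MZ_HEADER`, the `BODY_*` samples and the helper names are assumptions made for the example.

```python
import base64
from typing import Optional

# Content string from the proposed rule, byte-for-byte as posted.
RULE_CONTENT = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

# Assumed reference header: the DOS header MS linkers emit (e_magic "MZ",
# e_cblp 0x90, e_cp 3, e_cparhdr 4, e_maxalloc 0xffff, e_sp 0xb8,
# e_lfarlc 0x40) followed by zeros up to, but excluding, e_lfanew at 0x3c,
# which varies per binary.
MZ_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" + b"\x00" * 32
)
assert len(MZ_HEADER) == 60

# The rule's negated contents, applied case-insensitively (nocase).
HTML_MARKERS = (b"<html", b"<body", b"<script")


def decode_b64_prefix(s: str) -> bytes:
    """Decode as many complete 4-char base64 groups as `s` holds.

    A content string is a prefix of a longer stream, so a trailing partial
    group cannot be decoded without the bytes that follow it; drop it.
    """
    usable = s[: len(s) // 4 * 4]
    return base64.b64decode(usable)


def b64_phases(data: bytes) -> list[str]:
    """Return the three base64 patterns that match `data` wherever it starts
    in the encoded stream (byte offset 0, 1 or 2 modulo 3).

    For shifts 1 and 2 the first 4-char group mixes in the unknown preceding
    byte(s) and is dropped; a trailing group that would mix in following
    bytes is dropped as well.
    """
    phases = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + data).decode("ascii")
        start = 4 if shift else 0
        end = len(enc) - (4 if (shift + len(data)) % 3 else 0)
        phases.append(enc[start:end])
    return phases


def rule_matches(body: bytes) -> bool:
    """Mirror the proposed rule on a response body: the fixed base64 MZ prefix
    must be present and none of the negated HTML markers may appear."""
    if RULE_CONTENT.encode("ascii") not in body:
        return False
    lowered = body.lower()
    return not any(marker in lowered for marker in HTML_MARKERS)


def mz_phase_in(body: bytes) -> Optional[int]:
    """Return the alignment (0, 1 or 2) at which a base64 MZ header appears in
    `body`, or None if none of the three patterns is present."""
    for shift, pattern in enumerate(b64_phases(MZ_HEADER)):
        if pattern.encode("ascii") in body:
            return shift
    return None


# Constructed sample bodies (not real traffic): a PE-like blob of the header
# plus zero padding, base64-encoded at three different stream alignments.
PE_BLOB = MZ_HEADER + b"\x00" * 64
BODY_ALIGNED = base64.b64encode(PE_BLOB)            # PE starts at byte 0
BODY_SHIFT1 = base64.b64encode(b"x" + PE_BLOB)      # one byte precedes the PE
BODY_SHIFT2 = base64.b64encode(b"xy" + PE_BLOB)     # two bytes precede the PE
BODY_IN_HTML = b"<HTML><body>" + BODY_ALIGNED + b"</body></HTML>"


if __name__ == "__main__":
    print("rule content decodes to:", decode_b64_prefix(RULE_CONTENT)[:8])
    for name, body in [("aligned", BODY_ALIGNED), ("shift1", BODY_SHIFT1),
                       ("shift2", BODY_SHIFT2), ("in_html", BODY_IN_HTML)]:
        print(f"{name:8} rule={rule_matches(body)!s:5} phase={mz_phase_in(body)}")
```

Only the aligned body satisfies `rule_matches`; the shifted bodies carry the same executable but are missed, while `mz_phase_in` finds all three. The second and third strings returned by `b64_phases(MZ_HEADER)` are what additional `content:` options (or sibling rules) would need to carry to close that gap.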
